November 28, 2006 4:11 PM PST
Apple Mac OS X patch plugs 31 vulnerabilities
Apple's Security Update 2006-007 includes fixes for flaws in Apple's own code as well as third-party components that ship with the Mac OS X operating system, such as Perl, PHP and OpenSSL. Several of the vulnerabilities could allow full system compromises, according to Apple's security alert.
However, Apple's update does not address all publicly known flaws in the operating system. Over the past few weeks bug hunters, as part of an initiative called the Month of the Kernel Bugs, have published details on several new vulnerabilities in Mac OS X. One of those was tagged "highly critical" by security-monitoring company Secunia.
"Apple hasn't fixed any of the bugs published during the Month of Kernel Bugs, except for the AirPort issue," said "LMH," the code name of the security researcher who started the Month of the Kernel Bugs. "Apple users are still exposed to any potential risks related to those unpatched issues."
The security hole in the AirPort driver software affects Macs that shipped with Apple's original AirPort card, Apple said. An attacker nearby the computer could commandeer a vulnerable system by sending it a malicious network packet, according to Apple's alert.
Other flaws addressed by the Apple update could let Macs be compromised through malicious sites, rigged compressed files or malicious font files, Apple said. The update also fixes four flaws in the Mac OS X Security Framework, the worst of which could crash Macs or display expired security certificates as still valid, Apple said.
The Security Update 2006-007 for Mac OS X client and server software is available from the Software Update pane in Mac OS System Preferences, or Apple's downloads Web site. Apple recommends Mac users install it.